Documentation
¶
Overview ¶
Package v1alpha1 is the v1alpha1 version of the Pinniped supervisor identity provider (IDP) API.
Index ¶
- Constants
- Variables
- func Resource(resource string) schema.GroupResource
- type ActiveDirectoryIdentityProvider
- type ActiveDirectoryIdentityProviderBind
- type ActiveDirectoryIdentityProviderGroupSearch
- type ActiveDirectoryIdentityProviderGroupSearchAttributes
- type ActiveDirectoryIdentityProviderList
- type ActiveDirectoryIdentityProviderPhase
- type ActiveDirectoryIdentityProviderSpec
- type ActiveDirectoryIdentityProviderStatus
- type ActiveDirectoryIdentityProviderUserSearch
- type ActiveDirectoryIdentityProviderUserSearchAttributes
- type Condition
- type ConditionStatus
- type LDAPIdentityProvider
- type LDAPIdentityProviderBind
- type LDAPIdentityProviderGroupSearch
- type LDAPIdentityProviderGroupSearchAttributes
- type LDAPIdentityProviderList
- type LDAPIdentityProviderPhase
- type LDAPIdentityProviderSpec
- type LDAPIdentityProviderStatus
- type LDAPIdentityProviderUserSearch
- type LDAPIdentityProviderUserSearchAttributes
- type OIDCAuthorizationConfig
- type OIDCClaims
- type OIDCClient
- type OIDCIdentityProvider
- type OIDCIdentityProviderList
- type OIDCIdentityProviderPhase
- type OIDCIdentityProviderSpec
- type OIDCIdentityProviderStatus
- type Parameter
- type TLSSpec
Constants ¶
View Source
const GroupName = "idp.supervisor.pinniped.dev"
Variables ¶
View Source
var ( SchemeBuilder runtime.SchemeBuilder AddToScheme = localSchemeBuilder.AddToScheme )
View Source
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
SchemeGroupVersion is group version used to register these objects.
Functions ¶
func Resource ¶
func Resource(resource string) schema.GroupResource
Resource takes an unqualified resource and returns a Group qualified GroupResource.
Types ¶
type ActiveDirectoryIdentityProvider ¶ added in v0.11.0
type ActiveDirectoryIdentityProvider struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// Spec for configuring the identity provider.
Spec ActiveDirectoryIdentityProviderSpec `json:"spec"`
// Status of the identity provider.
Status ActiveDirectoryIdentityProviderStatus `json:"status,omitempty"`
}
ActiveDirectoryIdentityProvider describes the configuration of an upstream Microsoft Active Directory identity provider. +genclient +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.host` +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +kubebuilder:subresource:status
func (*ActiveDirectoryIdentityProvider) DeepCopy ¶ added in v0.11.0
func (in *ActiveDirectoryIdentityProvider) DeepCopy() *ActiveDirectoryIdentityProvider
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProvider.
func (*ActiveDirectoryIdentityProvider) DeepCopyInto ¶ added in v0.11.0
func (in *ActiveDirectoryIdentityProvider) DeepCopyInto(out *ActiveDirectoryIdentityProvider)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ActiveDirectoryIdentityProvider) DeepCopyObject ¶ added in v0.11.0
func (in *ActiveDirectoryIdentityProvider) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type ActiveDirectoryIdentityProviderBind ¶ added in v0.11.0
type ActiveDirectoryIdentityProviderBind struct {
// SecretName contains the name of a namespace-local Secret object that provides the username and
// password for an Active Directory bind user. This account will be used to perform LDAP searches. The Secret should be
// of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value
// should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
// The password must be non-empty.
// +kubebuilder:validation:MinLength=1
SecretName string `json:"secretName"`
}
func (*ActiveDirectoryIdentityProviderBind) DeepCopy ¶ added in v0.11.0
func (in *ActiveDirectoryIdentityProviderBind) DeepCopy() *ActiveDirectoryIdentityProviderBind
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderBind.
func (*ActiveDirectoryIdentityProviderBind) DeepCopyInto ¶ added in v0.11.0
func (in *ActiveDirectoryIdentityProviderBind) DeepCopyInto(out *ActiveDirectoryIdentityProviderBind)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ActiveDirectoryIdentityProviderGroupSearch ¶ added in v0.11.0
type ActiveDirectoryIdentityProviderGroupSearch struct {
// Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g.
// "ou=groups,dc=example,dc=com".
// Optional, when not specified it will be based on the result of a query for the defaultNamingContext
// (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
// The default behavior searches your entire domain for groups.
// It may make sense to specify a subtree as a search base if you wish to exclude some groups
// for security reasons or to make searches faster.
// +optional
Base string `json:"base,omitempty"`
// Filter is the ActiveDirectory search filter which should be applied when searching for groups for a user.
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
// dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or
// "&(objectClass=groupOfNames)(member={})". For more information about ActiveDirectory filters, see
// https://ldap.com/ldap-filters.
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
// Optional. When not specified, the default will act as if the filter were specified as
// "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={})".
// This searches nested groups by default.
// Note that nested group search can be slow for some Active Directory servers. To disable it,
// you can set the filter to
// "(&(objectClass=group)(member={})"
// +optional
Filter string `json:"filter,omitempty"`
// Attributes specifies how the group's information should be read from each ActiveDirectory entry which was found as
// the result of the group search.
// +optional
Attributes ActiveDirectoryIdentityProviderGroupSearchAttributes `json:"attributes,omitempty"`
// The user's group membership is refreshed as they interact with the supervisor
// to obtain new credentials (as their old credentials expire). This allows group
// membership changes to be quickly reflected into Kubernetes clusters. Since
// group membership is often used to bind authorization policies, it is important
// to keep the groups observed in Kubernetes clusters in-sync with the identity
// provider.
//
// In some environments, frequent group membership queries may result in a
// significant performance impact on the identity provider and/or the supervisor.
// The best approach to handle performance impacts is to tweak the group query
// to be more performant, for example by disabling nested group search or by
// using a more targeted group search base.
//
// If the group search query cannot be made performant and you are willing to
// have group memberships remain static for approximately a day, then set
// skipGroupRefresh to true. This is an insecure configuration as authorization
// policies that are bound to group membership will not notice if a user has
// been removed from a particular group until their next login.
//
// This is an experimental feature that may be removed or significantly altered
// in the future. Consumers of this configuration should carefully read all
// release notes before upgrading to ensure that the meaning of this field has
// not changed.
SkipGroupRefresh bool `json:"skipGroupRefresh,omitempty"`
}
func (*ActiveDirectoryIdentityProviderGroupSearch) DeepCopy ¶ added in v0.11.0
func (in *ActiveDirectoryIdentityProviderGroupSearch) DeepCopy() *ActiveDirectoryIdentityProviderGroupSearch
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderGroupSearch.
func (*ActiveDirectoryIdentityProviderGroupSearch) DeepCopyInto ¶ added in v0.11.0
func (in *ActiveDirectoryIdentityProviderGroupSearch) DeepCopyInto(out *ActiveDirectoryIdentityProviderGroupSearch)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ActiveDirectoryIdentityProviderGroupSearchAttributes ¶ added in v0.11.0
type ActiveDirectoryIdentityProviderGroupSearchAttributes struct {
// GroupName specifies the name of the attribute in the Active Directory entries whose value shall become a group name
// in the user's list of groups after a successful authentication.
// The value of this field is case-sensitive and must match the case of the attribute name returned by the ActiveDirectory
// server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn".
// Optional. When not specified, this defaults to a custom field that looks like "sAMAccountName@domain",
// where domain is constructed from the domain components of the group DN.
// +optional
GroupName string `json:"groupName,omitempty"`
}
func (*ActiveDirectoryIdentityProviderGroupSearchAttributes) DeepCopy ¶ added in v0.11.0
func (in *ActiveDirectoryIdentityProviderGroupSearchAttributes) DeepCopy() *ActiveDirectoryIdentityProviderGroupSearchAttributes
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderGroupSearchAttributes.
func (*ActiveDirectoryIdentityProviderGroupSearchAttributes) DeepCopyInto ¶ added in v0.11.0
func (in *ActiveDirectoryIdentityProviderGroupSearchAttributes) DeepCopyInto(out *ActiveDirectoryIdentityProviderGroupSearchAttributes)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ActiveDirectoryIdentityProviderList ¶ added in v0.11.0
type ActiveDirectoryIdentityProviderList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []ActiveDirectoryIdentityProvider `json:"items"`
}
List of ActiveDirectoryIdentityProvider objects. +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
func (*ActiveDirectoryIdentityProviderList) DeepCopy ¶ added in v0.11.0
func (in *ActiveDirectoryIdentityProviderList) DeepCopy() *ActiveDirectoryIdentityProviderList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderList.
func (*ActiveDirectoryIdentityProviderList) DeepCopyInto ¶ added in v0.11.0
func (in *ActiveDirectoryIdentityProviderList) DeepCopyInto(out *ActiveDirectoryIdentityProviderList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ActiveDirectoryIdentityProviderList) DeepCopyObject ¶ added in v0.11.0
func (in *ActiveDirectoryIdentityProviderList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type ActiveDirectoryIdentityProviderPhase ¶ added in v0.11.0
type ActiveDirectoryIdentityProviderPhase string
const ( // ActiveDirectoryPhasePending is the default phase for newly-created ActiveDirectoryIdentityProvider resources. ActiveDirectoryPhasePending ActiveDirectoryIdentityProviderPhase = "Pending" // ActiveDirectoryPhaseReady is the phase for an ActiveDirectoryIdentityProvider resource in a healthy state. ActiveDirectoryPhaseReady ActiveDirectoryIdentityProviderPhase = "Ready" // ActiveDirectoryPhaseError is the phase for an ActiveDirectoryIdentityProvider in an unhealthy state. ActiveDirectoryPhaseError ActiveDirectoryIdentityProviderPhase = "Error" )
type ActiveDirectoryIdentityProviderSpec ¶ added in v0.11.0
type ActiveDirectoryIdentityProviderSpec struct {
// Host is the hostname of this Active Directory identity provider, i.e., where to connect. For example: ldap.example.com:636.
// +kubebuilder:validation:MinLength=1
Host string `json:"host"`
// TLS contains the connection settings for how to establish the connection to the Host.
TLS *TLSSpec `json:"tls,omitempty"`
// Bind contains the configuration for how to provide access credentials during an initial bind to the ActiveDirectory server
// to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
Bind ActiveDirectoryIdentityProviderBind `json:"bind,omitempty"`
// UserSearch contains the configuration for searching for a user by name in Active Directory.
UserSearch ActiveDirectoryIdentityProviderUserSearch `json:"userSearch,omitempty"`
// GroupSearch contains the configuration for searching for a user's group membership in ActiveDirectory.
GroupSearch ActiveDirectoryIdentityProviderGroupSearch `json:"groupSearch,omitempty"`
}
Spec for configuring an ActiveDirectory identity provider.
func (*ActiveDirectoryIdentityProviderSpec) DeepCopy ¶ added in v0.11.0
func (in *ActiveDirectoryIdentityProviderSpec) DeepCopy() *ActiveDirectoryIdentityProviderSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderSpec.
func (*ActiveDirectoryIdentityProviderSpec) DeepCopyInto ¶ added in v0.11.0
func (in *ActiveDirectoryIdentityProviderSpec) DeepCopyInto(out *ActiveDirectoryIdentityProviderSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ActiveDirectoryIdentityProviderStatus ¶ added in v0.11.0
type ActiveDirectoryIdentityProviderStatus struct {
// Phase summarizes the overall status of the ActiveDirectoryIdentityProvider.
// +kubebuilder:default=Pending
// +kubebuilder:validation:Enum=Pending;Ready;Error
Phase ActiveDirectoryIdentityProviderPhase `json:"phase,omitempty"`
// Represents the observations of an identity provider's current state.
// +patchMergeKey=type
// +patchStrategy=merge
// +listType=map
// +listMapKey=type
Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
}
Status of an Active Directory identity provider.
func (*ActiveDirectoryIdentityProviderStatus) DeepCopy ¶ added in v0.11.0
func (in *ActiveDirectoryIdentityProviderStatus) DeepCopy() *ActiveDirectoryIdentityProviderStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderStatus.
func (*ActiveDirectoryIdentityProviderStatus) DeepCopyInto ¶ added in v0.11.0
func (in *ActiveDirectoryIdentityProviderStatus) DeepCopyInto(out *ActiveDirectoryIdentityProviderStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ActiveDirectoryIdentityProviderUserSearch ¶ added in v0.11.0
type ActiveDirectoryIdentityProviderUserSearch struct {
// Base is the dn (distinguished name) that should be used as the search base when searching for users.
// E.g. "ou=users,dc=example,dc=com".
// Optional, when not specified it will be based on the result of a query for the defaultNamingContext
// (see https://docs.microsoft.com/en-us/windows/win32/adschema/rootdse).
// The default behavior searches your entire domain for users.
// It may make sense to specify a subtree as a search base if you wish to exclude some users
// or to make searches faster.
// +optional
Base string `json:"base,omitempty"`
// Filter is the search filter which should be applied when searching for users. The pattern "{}" must occur
// in the filter at least once and will be dynamically replaced by the username for which the search is being run.
// E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see
// https://ldap.com/ldap-filters.
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
// Optional. When not specified, the default will be
// '(&(objectClass=person)(!(objectClass=computer))(!(showInAdvancedViewOnly=TRUE))(|(sAMAccountName={}")(mail={})(userPrincipalName={})(sAMAccountType=805306368))'
// This means that the user is a person, is not a computer, the sAMAccountType is for a normal user account,
// and is not shown in advanced view only
// (which would likely mean its a system created service account with advanced permissions).
// Also, either the sAMAccountName, the userPrincipalName, or the mail attribute matches the input username.
// +optional
Filter string `json:"filter,omitempty"`
// Attributes specifies how the user's information should be read from the ActiveDirectory entry which was found as
// the result of the user search.
// +optional
Attributes ActiveDirectoryIdentityProviderUserSearchAttributes `json:"attributes,omitempty"`
}
func (*ActiveDirectoryIdentityProviderUserSearch) DeepCopy ¶ added in v0.11.0
func (in *ActiveDirectoryIdentityProviderUserSearch) DeepCopy() *ActiveDirectoryIdentityProviderUserSearch
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderUserSearch.
func (*ActiveDirectoryIdentityProviderUserSearch) DeepCopyInto ¶ added in v0.11.0
func (in *ActiveDirectoryIdentityProviderUserSearch) DeepCopyInto(out *ActiveDirectoryIdentityProviderUserSearch)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ActiveDirectoryIdentityProviderUserSearchAttributes ¶ added in v0.11.0
type ActiveDirectoryIdentityProviderUserSearchAttributes struct {
// Username specifies the name of the attribute in Active Directory entry whose value shall become the username
// of the user after a successful authentication.
// Optional, when empty this defaults to "userPrincipalName".
// +optional
Username string `json:"username,omitempty"`
// UID specifies the name of the attribute in the ActiveDirectory entry which whose value shall be used to uniquely
// identify the user within this ActiveDirectory provider after a successful authentication.
// Optional, when empty this defaults to "objectGUID".
// +optional
UID string `json:"uid,omitempty"`
}
func (*ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy ¶ added in v0.11.0
func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopy() *ActiveDirectoryIdentityProviderUserSearchAttributes
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryIdentityProviderUserSearchAttributes.
func (*ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopyInto ¶ added in v0.11.0
func (in *ActiveDirectoryIdentityProviderUserSearchAttributes) DeepCopyInto(out *ActiveDirectoryIdentityProviderUserSearchAttributes)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Condition ¶
type Condition struct {
// type of condition in CamelCase or in foo.example.com/CamelCase.
// ---
// Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
// useful (see .node.status.conditions), the ability to deconflict is important.
// The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
// +required
// +kubebuilder:validation:Required
// +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$`
// +kubebuilder:validation:MaxLength=316
Type string `json:"type"`
// status of the condition, one of True, False, Unknown.
// +required
// +kubebuilder:validation:Required
// +kubebuilder:validation:Enum=True;False;Unknown
Status ConditionStatus `json:"status"`
// observedGeneration represents the .metadata.generation that the condition was set based upon.
// For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
// with respect to the current state of the instance.
// +optional
// +kubebuilder:validation:Minimum=0
ObservedGeneration int64 `json:"observedGeneration,omitempty"`
// lastTransitionTime is the last time the condition transitioned from one status to another.
// This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
// +required
// +kubebuilder:validation:Required
// +kubebuilder:validation:Type=string
// +kubebuilder:validation:Format=date-time
LastTransitionTime metav1.Time `json:"lastTransitionTime"`
// reason contains a programmatic identifier indicating the reason for the condition's last transition.
// Producers of specific condition types may define expected values and meanings for this field,
// and whether the values are considered a guaranteed API.
// The value should be a CamelCase string.
// This field may not be empty.
// +required
// +kubebuilder:validation:Required
// +kubebuilder:validation:MaxLength=1024
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:Pattern=`^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$`
Reason string `json:"reason"`
// message is a human readable message indicating details about the transition.
// This may be an empty string.
// +required
// +kubebuilder:validation:Required
// +kubebuilder:validation:MaxLength=32768
Message string `json:"message"`
}
Condition status of a resource (mirrored from the metav1.Condition type added in Kubernetes 1.19). In a future API version we can switch to using the upstream type. See https://github.com/kubernetes/apimachinery/blob/v0.19.0/pkg/apis/meta/v1/types.go#L1353-L1413.
func (*Condition) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition.
func (*Condition) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ConditionStatus ¶
type ConditionStatus string
ConditionStatus is effectively an enum type for Condition.Status.
const ( ConditionTrue ConditionStatus = "True" ConditionFalse ConditionStatus = "False" ConditionUnknown ConditionStatus = "Unknown" )
These are valid condition statuses. "ConditionTrue" means a resource is in the condition. "ConditionFalse" means a resource is not in the condition. "ConditionUnknown" means kubernetes can't decide if a resource is in the condition or not. In the future, we could add other intermediate conditions, e.g. ConditionDegraded.
type LDAPIdentityProvider ¶ added in v0.9.0
type LDAPIdentityProvider struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// Spec for configuring the identity provider.
Spec LDAPIdentityProviderSpec `json:"spec"`
// Status of the identity provider.
Status LDAPIdentityProviderStatus `json:"status,omitempty"`
}
LDAPIdentityProvider describes the configuration of an upstream Lightweight Directory Access Protocol (LDAP) identity provider. +genclient +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps +kubebuilder:printcolumn:name="Host",type=string,JSONPath=`.spec.host` +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +kubebuilder:subresource:status
func (*LDAPIdentityProvider) DeepCopy ¶ added in v0.9.0
func (in *LDAPIdentityProvider) DeepCopy() *LDAPIdentityProvider
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProvider.
func (*LDAPIdentityProvider) DeepCopyInto ¶ added in v0.9.0
func (in *LDAPIdentityProvider) DeepCopyInto(out *LDAPIdentityProvider)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*LDAPIdentityProvider) DeepCopyObject ¶ added in v0.9.0
func (in *LDAPIdentityProvider) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type LDAPIdentityProviderBind ¶ added in v0.9.0
type LDAPIdentityProviderBind struct {
// SecretName contains the name of a namespace-local Secret object that provides the username and
// password for an LDAP bind user. This account will be used to perform LDAP searches. The Secret should be
// of type "kubernetes.io/basic-auth" which includes "username" and "password" keys. The username value
// should be the full dn (distinguished name) of your bind account, e.g. "cn=bind-account,ou=users,dc=example,dc=com".
// The password must be non-empty.
// +kubebuilder:validation:MinLength=1
SecretName string `json:"secretName"`
}
func (*LDAPIdentityProviderBind) DeepCopy ¶ added in v0.9.0
func (in *LDAPIdentityProviderBind) DeepCopy() *LDAPIdentityProviderBind
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderBind.
func (*LDAPIdentityProviderBind) DeepCopyInto ¶ added in v0.9.0
func (in *LDAPIdentityProviderBind) DeepCopyInto(out *LDAPIdentityProviderBind)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type LDAPIdentityProviderGroupSearch ¶ added in v0.9.0
type LDAPIdentityProviderGroupSearch struct {
// Base is the dn (distinguished name) that should be used as the search base when searching for groups. E.g.
// "ou=groups,dc=example,dc=com". When not specified, no group search will be performed and
// authenticated users will not belong to any groups from the LDAP provider. Also, when not specified,
// the values of Filter and Attributes are ignored.
// +optional
Base string `json:"base,omitempty"`
// Filter is the LDAP search filter which should be applied when searching for groups for a user.
// The pattern "{}" must occur in the filter at least once and will be dynamically replaced by the
// dn (distinguished name) of the user entry found as a result of the user search. E.g. "member={}" or
// "&(objectClass=groupOfNames)(member={})". For more information about LDAP filters, see
// https://ldap.com/ldap-filters.
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
// Optional. When not specified, the default will act as if the Filter were specified as "member={}".
// +optional
Filter string `json:"filter,omitempty"`
// Attributes specifies how the group's information should be read from each LDAP entry which was found as
// the result of the group search.
// +optional
Attributes LDAPIdentityProviderGroupSearchAttributes `json:"attributes,omitempty"`
// The user's group membership is refreshed as they interact with the supervisor
// to obtain new credentials (as their old credentials expire). This allows group
// membership changes to be quickly reflected into Kubernetes clusters. Since
// group membership is often used to bind authorization policies, it is important
// to keep the groups observed in Kubernetes clusters in-sync with the identity
// provider.
//
// In some environments, frequent group membership queries may result in a
// significant performance impact on the identity provider and/or the supervisor.
// The best approach to handle performance impacts is to tweak the group query
// to be more performant, for example by disabling nested group search or by
// using a more targeted group search base.
//
// If the group search query cannot be made performant and you are willing to
// have group memberships remain static for approximately a day, then set
// skipGroupRefresh to true. This is an insecure configuration as authorization
// policies that are bound to group membership will not notice if a user has
// been removed from a particular group until their next login.
//
// This is an experimental feature that may be removed or significantly altered
// in the future. Consumers of this configuration should carefully read all
// release notes before upgrading to ensure that the meaning of this field has
// not changed.
SkipGroupRefresh bool `json:"skipGroupRefresh,omitempty"`
}
func (*LDAPIdentityProviderGroupSearch) DeepCopy ¶ added in v0.9.0
func (in *LDAPIdentityProviderGroupSearch) DeepCopy() *LDAPIdentityProviderGroupSearch
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderGroupSearch.
func (*LDAPIdentityProviderGroupSearch) DeepCopyInto ¶ added in v0.9.0
func (in *LDAPIdentityProviderGroupSearch) DeepCopyInto(out *LDAPIdentityProviderGroupSearch)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type LDAPIdentityProviderGroupSearchAttributes ¶ added in v0.9.0
type LDAPIdentityProviderGroupSearchAttributes struct {
// GroupName specifies the name of the attribute in the LDAP entries whose value shall become a group name
// in the user's list of groups after a successful authentication.
// The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP
// server in the user's entry. E.g. "cn" for common name. Distinguished names can be used by specifying lower-case "dn".
// Optional. When not specified, the default will act as if the GroupName were specified as "dn" (distinguished name).
// +optional
GroupName string `json:"groupName,omitempty"`
}
func (*LDAPIdentityProviderGroupSearchAttributes) DeepCopy ¶ added in v0.9.0
func (in *LDAPIdentityProviderGroupSearchAttributes) DeepCopy() *LDAPIdentityProviderGroupSearchAttributes
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderGroupSearchAttributes.
func (*LDAPIdentityProviderGroupSearchAttributes) DeepCopyInto ¶ added in v0.9.0
func (in *LDAPIdentityProviderGroupSearchAttributes) DeepCopyInto(out *LDAPIdentityProviderGroupSearchAttributes)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type LDAPIdentityProviderList ¶ added in v0.9.0
type LDAPIdentityProviderList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []LDAPIdentityProvider `json:"items"`
}
List of LDAPIdentityProvider objects. +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
func (*LDAPIdentityProviderList) DeepCopy ¶ added in v0.9.0
func (in *LDAPIdentityProviderList) DeepCopy() *LDAPIdentityProviderList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderList.
func (*LDAPIdentityProviderList) DeepCopyInto ¶ added in v0.9.0
func (in *LDAPIdentityProviderList) DeepCopyInto(out *LDAPIdentityProviderList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*LDAPIdentityProviderList) DeepCopyObject ¶ added in v0.9.0
func (in *LDAPIdentityProviderList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type LDAPIdentityProviderPhase ¶ added in v0.9.0
type LDAPIdentityProviderPhase string
const ( // LDAPPhasePending is the default phase for newly-created LDAPIdentityProvider resources. LDAPPhasePending LDAPIdentityProviderPhase = "Pending" // LDAPPhaseReady is the phase for an LDAPIdentityProvider resource in a healthy state. LDAPPhaseReady LDAPIdentityProviderPhase = "Ready" // LDAPPhaseError is the phase for an LDAPIdentityProvider in an unhealthy state. LDAPPhaseError LDAPIdentityProviderPhase = "Error" )
type LDAPIdentityProviderSpec ¶ added in v0.9.0
type LDAPIdentityProviderSpec struct {
// Host is the hostname of this LDAP identity provider, i.e., where to connect. For example: ldap.example.com:636.
// +kubebuilder:validation:MinLength=1
Host string `json:"host"`
// TLS contains the connection settings for how to establish the connection to the Host.
TLS *TLSSpec `json:"tls,omitempty"`
// Bind contains the configuration for how to provide access credentials during an initial bind to the LDAP server
// to be allowed to perform searches and binds to validate a user's credentials during a user's authentication attempt.
Bind LDAPIdentityProviderBind `json:"bind,omitempty"`
// UserSearch contains the configuration for searching for a user by name in the LDAP provider.
UserSearch LDAPIdentityProviderUserSearch `json:"userSearch,omitempty"`
// GroupSearch contains the configuration for searching for a user's group membership in the LDAP provider.
GroupSearch LDAPIdentityProviderGroupSearch `json:"groupSearch,omitempty"`
}
Spec for configuring an LDAP identity provider.
func (*LDAPIdentityProviderSpec) DeepCopy ¶ added in v0.9.0
func (in *LDAPIdentityProviderSpec) DeepCopy() *LDAPIdentityProviderSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderSpec.
func (*LDAPIdentityProviderSpec) DeepCopyInto ¶ added in v0.9.0
func (in *LDAPIdentityProviderSpec) DeepCopyInto(out *LDAPIdentityProviderSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type LDAPIdentityProviderStatus ¶ added in v0.9.0
type LDAPIdentityProviderStatus struct {
// Phase summarizes the overall status of the LDAPIdentityProvider.
// +kubebuilder:default=Pending
// +kubebuilder:validation:Enum=Pending;Ready;Error
Phase LDAPIdentityProviderPhase `json:"phase,omitempty"`
// Represents the observations of an identity provider's current state.
// +patchMergeKey=type
// +patchStrategy=merge
// +listType=map
// +listMapKey=type
Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
}
Status of an LDAP identity provider.
func (*LDAPIdentityProviderStatus) DeepCopy ¶ added in v0.9.0
func (in *LDAPIdentityProviderStatus) DeepCopy() *LDAPIdentityProviderStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderStatus.
func (*LDAPIdentityProviderStatus) DeepCopyInto ¶ added in v0.9.0
func (in *LDAPIdentityProviderStatus) DeepCopyInto(out *LDAPIdentityProviderStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type LDAPIdentityProviderUserSearch ¶ added in v0.9.0
type LDAPIdentityProviderUserSearch struct {
// Base is the dn (distinguished name) that should be used as the search base when searching for users.
// E.g. "ou=users,dc=example,dc=com".
// +kubebuilder:validation:MinLength=1
Base string `json:"base,omitempty"`
// Filter is the LDAP search filter which should be applied when searching for users. The pattern "{}" must occur
// in the filter at least once and will be dynamically replaced by the username for which the search is being run.
// E.g. "mail={}" or "&(objectClass=person)(uid={})". For more information about LDAP filters, see
// https://ldap.com/ldap-filters.
// Note that the dn (distinguished name) is not an attribute of an entry, so "dn={}" cannot be used.
// Optional. When not specified, the default will act as if the Filter were specified as the value from
// Attributes.Username appended by "={}". When the Attributes.Username is set to "dn" then the Filter must be
// explicitly specified, since the default value of "dn={}" would not work.
// +optional
Filter string `json:"filter,omitempty"`
// Attributes specifies how the user's information should be read from the LDAP entry which was found as
// the result of the user search.
// +optional
Attributes LDAPIdentityProviderUserSearchAttributes `json:"attributes,omitempty"`
}
func (*LDAPIdentityProviderUserSearch) DeepCopy ¶ added in v0.9.0
func (in *LDAPIdentityProviderUserSearch) DeepCopy() *LDAPIdentityProviderUserSearch
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderUserSearch.
func (*LDAPIdentityProviderUserSearch) DeepCopyInto ¶ added in v0.9.0
func (in *LDAPIdentityProviderUserSearch) DeepCopyInto(out *LDAPIdentityProviderUserSearch)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type LDAPIdentityProviderUserSearchAttributes ¶ added in v0.9.0
type LDAPIdentityProviderUserSearchAttributes struct {
// Username specifies the name of the attribute in the LDAP entry whose value shall become the username
// of the user after a successful authentication. This would typically be the same attribute name used in
// the user search filter, although it can be different. E.g. "mail" or "uid" or "userPrincipalName".
// The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP
// server in the user's entry. Distinguished names can be used by specifying lower-case "dn". When this field
// is set to "dn" then the LDAPIdentityProviderUserSearch's Filter field cannot be blank, since the default
// value of "dn={}" would not work.
// +kubebuilder:validation:MinLength=1
Username string `json:"username,omitempty"`
// UID specifies the name of the attribute in the LDAP entry which whose value shall be used to uniquely
// identify the user within this LDAP provider after a successful authentication. E.g. "uidNumber" or "objectGUID".
// The value of this field is case-sensitive and must match the case of the attribute name returned by the LDAP
// server in the user's entry. Distinguished names can be used by specifying lower-case "dn".
// +kubebuilder:validation:MinLength=1
UID string `json:"uid,omitempty"`
}
func (*LDAPIdentityProviderUserSearchAttributes) DeepCopy ¶ added in v0.9.0
func (in *LDAPIdentityProviderUserSearchAttributes) DeepCopy() *LDAPIdentityProviderUserSearchAttributes
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LDAPIdentityProviderUserSearchAttributes.
func (*LDAPIdentityProviderUserSearchAttributes) DeepCopyInto ¶ added in v0.9.0
func (in *LDAPIdentityProviderUserSearchAttributes) DeepCopyInto(out *LDAPIdentityProviderUserSearchAttributes)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type OIDCAuthorizationConfig ¶
type OIDCAuthorizationConfig struct {
// additionalScopes are the additional scopes that will be requested from your OIDC provider in the authorization
// request during an OIDC Authorization Code Flow and in the token request during a Resource Owner Password Credentials
// Grant. Note that the "openid" scope will always be requested regardless of the value in this setting, since it is
// always required according to the OIDC spec. By default, when this field is not set, the Supervisor will request
// the following scopes: "openid", "offline_access", "email", and "profile". See
// https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims for a description of the "profile" and "email"
// scopes. See https://openid.net/specs/openid-connect-core-1_0.html#OfflineAccess for a description of the
// "offline_access" scope. This default value may change in future versions of Pinniped as the standard evolves,
// or as common patterns used by providers who implement the standard in the ecosystem evolve.
// By setting this list to anything other than an empty list, you are overriding the
// default value, so you may wish to include some of "offline_access", "email", and "profile" in your override list.
// If you do not want any of these scopes to be requested, you may set this list to contain only "openid".
// Some OIDC providers may also require a scope to get access to the user's group membership, in which case you
// may wish to include it in this list. Sometimes the scope to request the user's group membership is called
// "groups", but unfortunately this is not specified in the OIDC standard.
// Generally speaking, you should include any scopes required to cause the appropriate claims to be the returned by
// your OIDC provider in the ID token or userinfo endpoint results for those claims which you would like to use in
// the oidcClaims settings to determine the usernames and group memberships of your Kubernetes users. See
// your OIDC provider's documentation for more information about what scopes are available to request claims.
// Additionally, the Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the Supervisor
// from these authorization flows. For most OIDC providers, the scope required to receive refresh tokens will be
// "offline_access". See the documentation of your OIDC provider's authorization and token endpoints for its
// requirements for what to include in the request in order to receive a refresh token in the response, if anything.
// Note that it may be safe to send "offline_access" even to providers which do not require it, since the provider
// may ignore scopes that it does not understand or require (see
// https://datatracker.ietf.org/doc/html/rfc6749#section-3.3). In the unusual case that you must avoid sending the
// "offline_access" scope, then you must override the default value of this setting. This is required if your OIDC
// provider will reject the request when it includes "offline_access" (e.g. GitLab's OIDC provider).
// +optional
AdditionalScopes []string `json:"additionalScopes,omitempty"`
// additionalAuthorizeParameters are extra query parameters that should be included in the authorize request to your
// OIDC provider in the authorization request during an OIDC Authorization Code Flow. By default, no extra
// parameters are sent. The standard parameters that will be sent are "response_type", "scope", "client_id",
// "state", "nonce", "code_challenge", "code_challenge_method", and "redirect_uri". These parameters cannot be
// included in this setting. Additionally, the "hd" parameter cannot be included in this setting at this time.
// The "hd" parameter is used by Google's OIDC provider to provide a hint as to which "hosted domain" the user
// should use during login. However, Pinniped does not yet support validating the hosted domain in the resulting
// ID token, so it is not yet safe to use this feature of Google's OIDC provider with Pinniped.
// This setting does not influence the parameters sent to the token endpoint in the Resource Owner Password
// Credentials Grant. The Pinniped Supervisor requires that your OIDC provider returns refresh tokens to the
// Supervisor from the authorization flows. Some OIDC providers may require a certain value for the "prompt"
// parameter in order to properly request refresh tokens. See the documentation of your OIDC provider's
// authorization endpoint for its requirements for what to include in the request in order to receive a refresh
// token in the response, if anything. If your provider requires the prompt parameter to request a refresh token,
// then include it here. Also note that most providers also require a certain scope to be requested in order to
// receive refresh tokens. See the additionalScopes setting for more information about using scopes to request
// refresh tokens.
// +optional
// +patchMergeKey=name
// +patchStrategy=merge
// +listType=map
// +listMapKey=name
AdditionalAuthorizeParameters []Parameter `json:"additionalAuthorizeParameters,omitempty"`
// allowPasswordGrant, when true, will allow the use of OAuth 2.0's Resource Owner Password Credentials Grant
// (see https://datatracker.ietf.org/doc/html/rfc6749#section-4.3) to authenticate to the OIDC provider using a
// username and password without a web browser, in addition to the usual browser-based OIDC Authorization Code Flow.
// The Resource Owner Password Credentials Grant is not officially part of the OIDC specification, so it may not be
// supported by your OIDC provider. If your OIDC provider supports returning ID tokens from a Resource Owner Password
// Credentials Grant token request, then you can choose to set this field to true. This will allow end users to choose
// to present their username and password to the kubectl CLI (using the Pinniped plugin) to authenticate to the
// cluster, without using a web browser to log in as is customary in OIDC Authorization Code Flow. This may be
// convenient for users, especially for identities from your OIDC provider which are not intended to represent a human
// actor, such as service accounts performing actions in a CI/CD environment. Even if your OIDC provider supports it,
// you may wish to disable this behavior by setting this field to false when you prefer to only allow users of this
// OIDCIdentityProvider to log in via the browser-based OIDC Authorization Code Flow. Using the Resource Owner Password
// Credentials Grant means that the Pinniped CLI and Pinniped Supervisor will directly handle your end users' passwords
// (similar to LDAPIdentityProvider), and you will not be able to require multi-factor authentication or use the other
// web-based login features of your OIDC provider during Resource Owner Password Credentials Grant logins.
// allowPasswordGrant defaults to false.
// +optional
AllowPasswordGrant bool `json:"allowPasswordGrant,omitempty"`
}
OIDCAuthorizationConfig provides information about how to form the OAuth2 authorization request parameters.
func (*OIDCAuthorizationConfig) DeepCopy ¶
func (in *OIDCAuthorizationConfig) DeepCopy() *OIDCAuthorizationConfig
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCAuthorizationConfig.
func (*OIDCAuthorizationConfig) DeepCopyInto ¶
func (in *OIDCAuthorizationConfig) DeepCopyInto(out *OIDCAuthorizationConfig)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type OIDCClaims ¶
type OIDCClaims struct {
// Groups provides the name of the ID token claim or userinfo endpoint response claim that will be used to ascertain
// the groups to which an identity belongs. By default, the identities will not include any group memberships when
// this setting is not configured.
// +optional
Groups string `json:"groups"`
// Username provides the name of the ID token claim or userinfo endpoint response claim that will be used to
// ascertain an identity's username. When not set, the username will be an automatically constructed unique string
// which will include the issuer URL of your OIDC provider along with the value of the "sub" (subject) claim from
// the ID token.
// +optional
Username string `json:"username"`
// AdditionalClaimMappings allows for additional arbitrary upstream claim values to be mapped into the
// "additionalClaims" claim of the ID tokens generated by the Supervisor. This should be specified as a map of
// new claim names as the keys, and upstream claim names as the values. These new claim names will be nested
// under the top-level "additionalClaims" claim in ID tokens generated by the Supervisor when this
// OIDCIdentityProvider was used for user authentication. These claims will be made available to all clients.
// This feature is not required to use the Supervisor to provide authentication for Kubernetes clusters, but can be
// used when using the Supervisor for other authentication purposes. When this map is empty or the upstream claims
// are not available, the "additionalClaims" claim will be excluded from the ID tokens generated by the Supervisor.
// +optional
AdditionalClaimMappings map[string]string `json:"additionalClaimMappings,omitempty"`
}
OIDCClaims provides a mapping from upstream claims into identities.
func (*OIDCClaims) DeepCopy ¶
func (in *OIDCClaims) DeepCopy() *OIDCClaims
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClaims.
func (*OIDCClaims) DeepCopyInto ¶
func (in *OIDCClaims) DeepCopyInto(out *OIDCClaims)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type OIDCClient ¶
type OIDCClient struct {
// SecretName contains the name of a namespace-local Secret object that provides the clientID and
// clientSecret for an OIDC client. If only the SecretName is specified in an OIDCClient
// struct, then it is expected that the Secret is of type "secrets.pinniped.dev/oidc-client" with keys
// "clientID" and "clientSecret".
SecretName string `json:"secretName"`
}
OIDCClient contains information about an OIDC client (e.g., client ID and client secret).
func (*OIDCClient) DeepCopy ¶
func (in *OIDCClient) DeepCopy() *OIDCClient
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCClient.
func (*OIDCClient) DeepCopyInto ¶
func (in *OIDCClient) DeepCopyInto(out *OIDCClient)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type OIDCIdentityProvider ¶
type OIDCIdentityProvider struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
// Spec for configuring the identity provider.
Spec OIDCIdentityProviderSpec `json:"spec"`
// Status of the identity provider.
Status OIDCIdentityProviderStatus `json:"status,omitempty"`
}
OIDCIdentityProvider describes the configuration of an upstream OpenID Connect identity provider. +genclient +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object +kubebuilder:resource:categories=pinniped;pinniped-idp;pinniped-idps +kubebuilder:printcolumn:name="Issuer",type=string,JSONPath=`.spec.issuer` +kubebuilder:printcolumn:name="Status",type=string,JSONPath=`.status.phase` +kubebuilder:printcolumn:name="Age",type=date,JSONPath=`.metadata.creationTimestamp` +kubebuilder:subresource:status
func (*OIDCIdentityProvider) DeepCopy ¶
func (in *OIDCIdentityProvider) DeepCopy() *OIDCIdentityProvider
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCIdentityProvider.
func (*OIDCIdentityProvider) DeepCopyInto ¶
func (in *OIDCIdentityProvider) DeepCopyInto(out *OIDCIdentityProvider)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*OIDCIdentityProvider) DeepCopyObject ¶
func (in *OIDCIdentityProvider) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type OIDCIdentityProviderList ¶
type OIDCIdentityProviderList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []OIDCIdentityProvider `json:"items"`
}
OIDCIdentityProviderList lists OIDCIdentityProvider objects. +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
func (*OIDCIdentityProviderList) DeepCopy ¶
func (in *OIDCIdentityProviderList) DeepCopy() *OIDCIdentityProviderList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCIdentityProviderList.
func (*OIDCIdentityProviderList) DeepCopyInto ¶
func (in *OIDCIdentityProviderList) DeepCopyInto(out *OIDCIdentityProviderList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*OIDCIdentityProviderList) DeepCopyObject ¶
func (in *OIDCIdentityProviderList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type OIDCIdentityProviderPhase ¶
type OIDCIdentityProviderPhase string
const ( // PhasePending is the default phase for newly-created OIDCIdentityProvider resources. PhasePending OIDCIdentityProviderPhase = "Pending" // PhaseReady is the phase for an OIDCIdentityProvider resource in a healthy state. PhaseReady OIDCIdentityProviderPhase = "Ready" // PhaseError is the phase for an OIDCIdentityProvider in an unhealthy state. PhaseError OIDCIdentityProviderPhase = "Error" )
type OIDCIdentityProviderSpec ¶
type OIDCIdentityProviderSpec struct {
// Issuer is the issuer URL of this OIDC identity provider, i.e., where to fetch
// /.well-known/openid-configuration.
// +kubebuilder:validation:MinLength=1
// +kubebuilder:validation:Pattern=`^https://`
Issuer string `json:"issuer"`
// TLS configuration for discovery/JWKS requests to the issuer.
// +optional
TLS *TLSSpec `json:"tls,omitempty"`
// AuthorizationConfig holds information about how to form the OAuth2 authorization request
// parameters to be used with this OIDC identity provider.
// +optional
AuthorizationConfig OIDCAuthorizationConfig `json:"authorizationConfig,omitempty"`
// Claims provides the names of token claims that will be used when inspecting an identity from
// this OIDC identity provider.
// +optional
Claims OIDCClaims `json:"claims"`
// OIDCClient contains OIDC client information to be used used with this OIDC identity
// provider.
Client OIDCClient `json:"client"`
}
OIDCIdentityProviderSpec is the spec for configuring an OIDC identity provider.
func (*OIDCIdentityProviderSpec) DeepCopy ¶
func (in *OIDCIdentityProviderSpec) DeepCopy() *OIDCIdentityProviderSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCIdentityProviderSpec.
func (*OIDCIdentityProviderSpec) DeepCopyInto ¶
func (in *OIDCIdentityProviderSpec) DeepCopyInto(out *OIDCIdentityProviderSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type OIDCIdentityProviderStatus ¶
type OIDCIdentityProviderStatus struct {
// Phase summarizes the overall status of the OIDCIdentityProvider.
// +kubebuilder:default=Pending
// +kubebuilder:validation:Enum=Pending;Ready;Error
Phase OIDCIdentityProviderPhase `json:"phase,omitempty"`
// Represents the observations of an identity provider's current state.
// +patchMergeKey=type
// +patchStrategy=merge
// +listType=map
// +listMapKey=type
Conditions []Condition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
}
OIDCIdentityProviderStatus is the status of an OIDC identity provider.
func (*OIDCIdentityProviderStatus) DeepCopy ¶
func (in *OIDCIdentityProviderStatus) DeepCopy() *OIDCIdentityProviderStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OIDCIdentityProviderStatus.
func (*OIDCIdentityProviderStatus) DeepCopyInto ¶
func (in *OIDCIdentityProviderStatus) DeepCopyInto(out *OIDCIdentityProviderStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Parameter ¶ added in v0.13.0
type Parameter struct {
// The name of the parameter. Required.
// +kubebuilder:validation:MinLength=1
Name string `json:"name"`
// The value of the parameter.
// +optional
Value string `json:"value,omitempty"`
}
Parameter is a key/value pair which represents a parameter in an HTTP request.
func (*Parameter) DeepCopy ¶ added in v0.13.0
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Parameter.
func (*Parameter) DeepCopyInto ¶ added in v0.13.0
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type TLSSpec ¶
type TLSSpec struct {
// X.509 Certificate Authority (base64-encoded PEM bundle). If omitted, a default set of system roots will be trusted.
// +optional
CertificateAuthorityData string `json:"certificateAuthorityData,omitempty"`
}
Configuration for TLS parameters related to identity provider integration.
func (*TLSSpec) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSSpec.
func (*TLSSpec) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
Source Files
Click to show internal directories.
Click to hide internal directories.